Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Timetics: from n/a through 1.0.53.
AnalysisAI
Missing authorization in Timetics WordPress plugin through version 1.0.53 allows unauthenticated remote attackers to bypass access controls and access sensitive administrative functions or data. With CVSS 8.2 (High), the vulnerability enables high confidentiality impact and low integrity impact against network-accessible instances. Patchstack reported this broken access control flaw, indicating potential exposure of booking systems, customer data, or administrative operations to unauthorized access without authentication.
Technical ContextAI
Timetics is a WordPress plugin by Arraytics providing appointment scheduling and booking management functionality. The vulnerability stems from CWE-862 (Missing Authorization), where security checks fail to verify user permissions before granting access to restricted functions or endpoints. This class of flaw typically occurs when developers implement authentication (verifying identity) but omit authorization checks (verifying permissions), allowing any authenticated user-or in this case, unauthenticated actors per CVSS PR:N-to access functionality intended for administrators or privileged roles. WordPress plugins commonly expose REST API endpoints or AJAX handlers that require explicit capability checks using functions like current_user_can(); omitting these checks creates authorization bypasses. The affected CPE (cpe:2.3:a:arraytics:timetics) confirms all versions through 1.0.53 contain this flaw.
RemediationAI
Immediately upgrade Timetics to version 1.0.54 or later if available, checking WordPress.org plugin repository or Arraytics vendor site for the patched release. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-53-broken-access-control-vulnerability for confirmed fix version and upgrade instructions. If no patch is available, implement compensating controls: (1) Disable the Timetics plugin entirely until patched version releases-this eliminates booking functionality but removes attack surface; (2) Restrict network access to WordPress admin endpoints (/wp-admin/, /wp-json/) via IP allowlisting in .htaccess or web application firewall, limiting exposure to trusted networks only-note this may break legitimate remote admin access and mobile booking workflows; (3) Deploy WordPress security plugin with virtual patching capability (e.g., Wordfence, Patchstack) to block exploitation attempts at the WAF layer-effectiveness depends on signature coverage and may cause false positives. Monitor WordPress access logs for suspicious unauthenticated POST/GET requests to Timetics endpoints (/wp-json/timetics/v1/ or similar) as potential exploitation indicators.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29392
GHSA-7x9f-64r7-34cc